You are one of a fairly small number of people worldwide who can be considered to be experts in computer security, yet you keep admitting here that this guy's approach is theoretically valid, and you just have a problem with it practically.

I really don't understand that.

How is that not like my saying, "Well, sure, theoretically I should be hashing the passwords in my database, but practically speaking we can't expect that it's going to matter anyway."?

You are making an allusion to the perennial controversy over "theoretical" vs. "practical" vulnerabilities in my field. That's an interesting point, but unfortunately not a valid one.

In security, "theoretical" vs. "practical" is a fig leaf used (mostly) by vendors to avoid facing up to their responsibilities after having shipped flawed products. Calling something "theoretical" shields people from culpability, mostly in public relations, but clearly isn't actually an assessment of the real-world impact of most vulnerabilities. It's spin.

But the fact that the words "theoretical" and "practical" can be used as spin doesn't mean the concepts of "theory" and "practice" are inherently spin; the reality is quite the opposite. Outside of computer security, we'd be well advised to use those words more; our adhesion to the notion that all theoretical threats are practical is probably a major component of the "security theater" trend that has us all getting electronically strip searched in airports.

Yeah, I see what you're getting at. For my part, while I'm interested in computer security, I'm more interested in legal (or "real-life", or "social", or what-have-you) security. So, I'd be more inclined to say that when there's a theoretical legal attack, it should be handled as though it were a practical one.

I recently had a close friend go through the court system on multiple felony charges. That particular introduction to the legal system was eye-opening.

I'd be inclined to say that when there's a theoretical legal attack, it should be handled as though it were a practical one.

The real flaw in this argument is that as soon as you mark yourself out as "that guy who's being a dick" you attract a lot of attention, and you're more likely to wind up in court on some other charge.

For instance, there's a very high probability once you've started being a dick that they'll decide to thoroughly search your suitcase. Have you accurately reported the value of all goods acquired overseas on your customs declaration form? If you haven't (or even if you have but they feel like quibbling over the value of some of those goods, or if they suspect that some of the goods acquired in the US were acquired overseas) then you could potentially wind up getting charged over that.

The real flaw in this argument is that as soon as you mark yourself out as "that guy who's being a dick" you attract a lot of attention, and you're more likely to wind up in court on some other charge.

But doing the right thing can also get you into trouble. Just as Pascal Abidor.

Another way to say that is that there's no such thing as a "theoretical" vulnerability. There's either a working exploit, or there is not and we can test it. In physical security, though, there are plenty of movie plot threats that nobody has ever actually tried and which are not, in fact, practical.

With software, you can have the computer try millions of times to go after that one crazy race condition. Meanwhile, your average crazy bomber generally has one chance to get it right before everyone on the plane attacks and subdues him.